Access tokens are used to authenticate users. They are generated by API consumers and need to be passed in the incoming API requests. The API key (i.e., the generated access token) is a simple string that is passed as an HTTP header. For example, "Authorization: Bearer NtBQkXoKElu0H1a1fQ0DWfo6IX4a." It works equally well for SOAP and REST calls.

Authorizing requests coming to published APIs using access tokens helps you prevent DoS attacks. If the token passed with a request is invalid, the API Manager discards that request in the first stage of processing itself.

Application Access Tokens: Tokens to identify and authenticate an entire application. An application is a logical collection of many APIs. With a single application access token, you can invoke all of these APIs.

User Access Tokens: Tokens to identify the final user of an application. For example, the final user of a mobile application deployed on different devices.

In WSO2 API Manager the access token must be unique for the following combinations - CONSUMER_KEY, AUTHZ_USER, USER_TYPE, TOKEN_STATE, TOKEN_STATE_ID and TOKEN_SCOPE. The latter mentioned constraint is defined in the IDN_OAUTH2_ACCESS_TOKEN table. Therefore, it is not possible to have more than one Access Token for any of the above combinations.

Let's take a look at how to generate and renew each type of access token.

Generating application access tokens

Tokens to authenticate an application, which is a logical collection of APIs. You can access all APIs associated with an application using a single token, and also subscribe multiple times to a single API with different SLA levels. Application access tokens leverage OAuth2 to provide simple key management.

The steps below describe how to generate/renew application access tokens:

Log in to the API Store.

Click the Applications menu and open the application for which you want to generate an access token.

Click the Production Keys tab and click Generate Keys to create an application access token. You can use this token to invoke all APIs that you subscribe to using the same application.

In the Access token validity period field, you set an expiration period determining the validity period of the token after generation. Set to a negative value to ensure that the token never expires. Also see Changing the default token expiration time.

Tip: When you generate access tokens to APIs protected by scope/s, you can select the scope/s and then generate the token for it.

Generating user access tokens

Tokens to authenticate the final user of an API and are valid for all APIs subscribed to a user via a particular application. User access tokens allow you to invoke an API even from a third-party application like a mobile app. You generate/renew a user access token by calling the Login API through a REST client. For more information, see Token API.

By default, access tokens, consumer keys, and consumer secrets are not saved in an encrypted format in the database. An admin can enable encryption following the instructions in Encrypting OAuth Keys.

Tip: If you want to keep authorization headers in messages that are going out from the API Gateway, an admin can go to the <API Gateway Node>/repository/conf/api-manager.xml file, uncomment the <RemoveOAuthHeadersFromOutMessage> element, set its value to false and then restart the server to apply the changes.

Note that when a user is deleted, the access token is automatically invalidated.

Generating access tokens per device

WSO2 API Manager returns the same token repeatedly if a valid token exists for the requesting Application, on behalf of the user. However, the latter mentioned scenario becomes an issue if the same user is using the same Application in two devices (e.g., If you have two instances of the same Application running on your iPhone and iPad, and your iPhone already has a token on behalf of you, your iPad will get the same token if you requested for it within the same validity period. Therefore, if one of your devices revoke this token (e.g., revoke on logout), the token that you obtained for your other device becomes invalid as the devices use the identical tokens.

To overcome this problem, WSO2 API Manager provides a mechanism, with the use of OAuth2.0 Scopes, for obtaining a unique Access Token for each device that uses the same Application. Thereby, allowing users to request tokens for different scopes. You need to prefix the scope names with the string "device_". WSO2 API Manager uses special treatment for the scopes that are prefixed with the latter mentioned string by ignoring the usual validations it does when issuing tokens that are associated to scopes. The following is a sample cURL command that you can use to request a token with a "device_" scope.

Each token request that is made with a different scope, results in a different access token being issued. For example if you received a token named abc as a result of the scope device_ipad, you will not receive abc when you request for the token with the scope device_iphone. Note that you can use device_ scopes in conjunction with other scopes as usual.

Renewing application access tokens

When an application access token expires, consumers can refresh the token by logging into the API Store, opening the application and clicking Re-generate in the Production Keys tab. You can also specify a token expiration time for the application access token. Set to a negative value to ensure that the token never expires.

Renewing user access tokens

To renew a user token, issue a REST call to the WSO2 Login API through a REST client. For more information, see Renew User Tokens.

Changing the default token expiration time

Access tokens have an expiration time, which is set to 60 minutes by default.

To change the default expiration time of application access tokens,

Change the value of the <AccessTokenDefaultValidityPeriod> element in the <APIM_HOME>/repository/conf/identity/identity.xml file. Set to a negative value to ensure that the token never expires. Changes to this value are applied only to the new applications that you create.

Alternatively, you can set a default expiration time through the UI when generating/regenerating the application access token. This is explained in previous sections.

Similarly, to change the default expiration time of user access tokens, edit the value of the <UserAccessTokenDefaultValidityPeriod> element in the identity.xml file.